topic Re: NATing through two firewalls(Datacenter-Edge) in Network Security

NATing through two firewalls(Datacenter-Edge)

ryoussef@toptech.com.eg — Fri, 21 Feb 2020 15:49:37 GMT

Hello Everyone ,

I try to publish a website from a server range , so i Make an autonat static nating on the firewall data-center but it didnt work and the internet connection on this server has been stopped !!

Note

*the firewall used on both firewall is FTD 2110

*the datacenter firewall pass the traffic through the edge firewall

*when i make this Nating on the edge firewall it works fine

Attached below may help you to understand the topology of my network

Any Ideas ?!!

Re: NATing through two firewalls(Datacenter-Edge)

Florin Barhala — Thu, 31 May 2018 06:59:36 GMT

Nice drawing : )). Now where's that server located on the diagram?
Some config output will help us get this though.

Re: NATing through two firewalls(Datacenter-Edge)

ryoussef@toptech.com.eg — Thu, 31 May 2018 09:24:13 GMT

Thank you 😄

I try to draw on visio and i make it very simple

i just need the idea of how to nat through the 2 firewall because i can nat from only the edge firewall

Re: NATing through two firewalls(Datacenter-Edge)

Florin Barhala — Thu, 31 May 2018 09:50:58 GMT

I am not sure why can't you NAT from the DC firewall? What's the error you get?
Also NAT is usually required for public/Internet access? Why do you need to NAT it twice?

Re: NATing through two firewalls(Datacenter-Edge)

ryoussef@toptech.com.eg — Thu, 31 May 2018 10:02:06 GMT

i can get internet access easily however i cannot publish any web server behind the datacenter firewall

i configured the NATing on both firewalls and all the vlans can access internet

The main issue is publishing the webserver on the server vlan(behind datacenter fw ) it not works

i test to publish the web server from the EDGE firewall it works fine

Re: NATing through two firewalls(Datacenter-Edge)

Florin Barhala — Thu, 31 May 2018 12:27:59 GMT

Now I finally got it ! : ))
This should be pretty easy though:
- post your NAT config on each FW
- I would also place a capture on the DC firewall on each of the two interfaces: "outside and inside" ; here's my strategy on the DC firewall:
access-list capt_DNAT permit ip host public_source_IP_from_where_you_test host server_private IP
access-list capt_DNAT permit ip host server_private IP host public_source_IP_from_where_you_test
capture cap1 interface inside access-list capt_DNAT
capture cap2 interface outside access-list capt_DNAT

Try connecting on the port from public_source_IP_from_where_you_test then check captures output.